Please describe DNS/NEWS/2015-11-13 here.
1. scansafe.net issue
It's not clear that things have been repaired.
As of 17:00 PST 12 Nov (01:00 CUT 13 Nov), dig is still showing the suspect IP -- although with a 300 sec TTL (see below):
dig @ns4.mailround.com scansafe.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @ns4.mailround.com scansafe.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19078
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;scansafe.net.                  IN      A

;; ANSWER SECTION:
scansafe.net.           300     IN      A       208.91.197.132

;; Query time: 47 msec
;; SERVER: 208.91.197.132#53(208.91.197.132)
;; WHEN: Thu Nov 12 17:08:41 2015
;; MSG SIZE  rcvd: 46
This person appears to have queried the poisoned server.
- That is, they meant to query ns4.mailround.com, but the SERVER line shows the query actually went to 208.91.197.132.
$ dig @208.91.197.132 scansafe.net
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16462
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; scansafe.net. IN A

;; ANSWER SECTION:
scansafe.net. 300 IN A 208.91.197.132

;; Received 46 B
;; Time 2015-11-14 00:14:08 JST
;; From 208.91.197.132@53(UDP) in 189.5 ms
2. 2015-11-14
-- ToshinoriMaeno 2015-11-13 15:10:28
$ dig @ns4.mailround.com scansafe.net
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 49903
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 3; ADDITIONAL: 4

;; QUESTION SECTION:
;; scansafe.net. IN A

;; ANSWER SECTION:
scansafe.net. 3600 IN A 80.254.145.119

;; AUTHORITY SECTION:
scansafe.net. 3600 IN NS ns4.mailround.com.
scansafe.net. 3600 IN NS ns5.mailround.com.
scansafe.net. 3600 IN NS ns0.mailround.com.

;; ADDITIONAL SECTION:
ns0.mailround.com. 3600 IN A 80.254.145.110
ns0.mailround.com. 3600 IN AAAA 2a00:9600:0:818:2::110
ns4.mailround.com. 3600 IN A 72.37.171.85
ns5.mailround.com. 3600 IN A 72.37.244.85

;; Received 189 B
;; Time 2015-11-14 00:09:06 JST
;; From 72.37.171.85@53(UDP) in 276.4 ms
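The point made in sections 1 and 2 is that the quoted dig output has to be read together with its SERVER (dig) or From (kdig) line: the first response was answered by 208.91.197.132, which is also the A record it returned, while the later response came from 72.37.171.85, the address the zone's own glue gives for ns4.mailround.com. The following script is an added example, not part of this page or of any tool mentioned on it; it parses the two outputs quoted above (embedded as constructed sample text, trimmed to the relevant lines), derives the nameserver addresses from the authoritative answer, and flags a response whose responder is not a known nameserver address or whose A answer points back at the responder itself.

```python
import re

# Constructed samples: the two responses quoted on this page, trimmed to the
# lines the check reads. Lines beginning with ';' are dig/kdig commentary.
SUSPECT_RESPONSE = """\
;; QUESTION SECTION:
;scansafe.net. IN A
;; ANSWER SECTION:
scansafe.net. 300 IN A 208.91.197.132
;; SERVER: 208.91.197.132#53(208.91.197.132)
"""

LATER_RESPONSE = """\
;; ANSWER SECTION:
scansafe.net. 3600 IN A 80.254.145.119
;; AUTHORITY SECTION:
scansafe.net. 3600 IN NS ns4.mailround.com.
scansafe.net. 3600 IN NS ns5.mailround.com.
scansafe.net. 3600 IN NS ns0.mailround.com.
;; ADDITIONAL SECTION:
ns0.mailround.com. 3600 IN A 80.254.145.110
ns0.mailround.com. 3600 IN AAAA 2a00:9600:0:818:2::110
ns4.mailround.com. 3600 IN A 72.37.171.85
ns5.mailround.com. 3600 IN A 72.37.244.85
;; From 72.37.171.85@53(UDP) in 276.4 ms
"""

# One resource record line as dig/kdig print it: owner TTL IN TYPE rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_records(text):
    """Return (owner, ttl, type, rdata) tuples for every resource record line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def responder_address(text):
    """Address that actually answered: dig prints ';; SERVER: ip#port',
    kdig prints ';; From ip@port'. Returns None if neither line is present."""
    m = re.search(r";; SERVER: ([^#\s]+)#", text) or re.search(r";; From ([^@\s]+)@", text)
    return m.group(1) if m else None


def nameserver_addresses(text, zone):
    """Collect A/AAAA addresses of the zone's NS hosts from an authoritative answer
    that carries the NS set in AUTHORITY and the glue in ADDITIONAL."""
    records = parse_records(text)
    ns_hosts = {rdata.lower() for owner, _, rtype, rdata in records
                if rtype == "NS" and owner == zone}
    return {rdata for owner, _, rtype, rdata in records
            if rtype in ("A", "AAAA") and owner in ns_hosts}


def audit_response(text, zone, known_ns_addrs):
    """Return a list of findings for one response; an empty list means nothing looked off."""
    findings = []
    responder = responder_address(text)
    if responder is None:
        return ["no responder address found in output"]
    if responder not in known_ns_addrs:
        findings.append(f"responder {responder} is not a known nameserver address for {zone}")
    for owner, _, rtype, rdata in parse_records(text):
        if owner == zone and rtype == "A" and rdata == responder:
            findings.append(f"A answer {rdata} equals the responding server (self-referential)")
    return findings


if __name__ == "__main__":
    zone = "scansafe.net."
    known = nameserver_addresses(LATER_RESPONSE, zone)
    for label, resp in (("suspect", SUSPECT_RESPONSE), ("later", LATER_RESPONSE)):
        print(label, audit_response(resp, zone, known) or ["ok"])
```

The responder check is the one that catches the case in section 1: the query was addressed to ns4.mailround.com by name, so a response from an address that is not in the zone's glue means the name itself resolved to something else on that host's resolver, regardless of what the answer section says.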
3. ztomy.com
ztomy.com seems to be involved, so I will follow it up. (Is it on Akamai?)
http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions